am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
  Restrict service_manager find and list access.
This commit is contained in:
dcashman 2014-12-16 23:01:31 +00:00 committed by Android Git Automerger
commit 49e7e0c248
18 changed files with 72 additions and 140 deletions

View file

@ -83,8 +83,4 @@ allow adbd system_file:file r_file_perms;
allow adbd kernel:security read_policy;
service_manager_local_audit_domain(adbd)
auditallow adbd {
service_manager_type
-surfaceflinger_service
}:service_manager find;
allow adbd surfaceflinger_service:service_manager find;

View file

@ -49,14 +49,9 @@ allow bluetooth bluetooth_prop:property_service set;
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
# Audited locally.
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
service_manager_type
-bluetooth_service
-radio_service
-system_server_service
}:service_manager find;
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth system_server_service:service_manager find;
###
### Neverallow rules

View file

@ -16,6 +16,4 @@ allow bootanim oemfs:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
# Audited locally.
service_manager_local_audit_domain(bootanim)
auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;

View file

@ -165,11 +165,6 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
allow domain servicemanager:service_manager list;
auditallow { domain -dumpstate } servicemanager:service_manager list;
allow domain service_manager_type:service_manager find;
auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
###
### neverallow rules
###

View file

@ -45,18 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
allow drmserver drmserver_service:service_manager add;
# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
# Audited locally.
service_manager_local_audit_domain(drmserver)
auditallow drmserver {
service_manager_type
-drmserver_service
-system_server_service
}:service_manager find;
allow drmserver drmserver_service:service_manager { add find };
allow drmserver system_server_service:service_manager find;
selinux_check_access(drmserver)

View file

@ -106,17 +106,15 @@ allow dumpstate tombstone_data_file:file r_file_perms;
# Access /system/bin executables to determine type of executable.
allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
service_manager_local_audit_domain(dumpstate)
auditallow dumpstate {
service_manager_type
-drmserver_service
-healthd_service
-inputflinger_service
-keystore_service
-mediaserver_service
-nfc_service
-radio_service
-surfaceflinger_service
-system_app_service
-system_server_service
allow dumpstate {
drmserver_service
healthd_service
inputflinger_service
keystore_service
mediaserver_service
nfc_service
radio_service
surfaceflinger_service
system_app_service
system_server_service
}:service_manager find;

View file

@ -38,11 +38,7 @@ allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
allow healthd healthd_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(healthd)
auditallow healthd { service_manager_type -healthd_service }:service_manager find;
allow healthd healthd_service:service_manager { add find };
# Healthd needs to tell init to continue the boot
# process when running in charger mode.

View file

@ -8,8 +8,4 @@ binder_service(inputflinger)
binder_call(inputflinger, system_server)
allow inputflinger inputflinger_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(inputflinger)
auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
allow inputflinger inputflinger_service:service_manager { add find };

View file

@ -21,11 +21,6 @@ neverallow isolated_app app_data_file:file open;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute };
# Audited locally.
service_manager_local_audit_domain(isolated_app)
auditallow isolated_app {
service_manager_type
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
allow isolated_app radio_service:service_manager find;
allow isolated_app surfaceflinger_service:service_manager find;
allow isolated_app system_server_service:service_manager find;

View file

@ -26,11 +26,7 @@ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
allow keystore keystore_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(keystore)
auditallow keystore { service_manager_type -keystore_service }:service_manager find;
allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)

View file

@ -78,22 +78,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver mediaserver_service:service_manager add;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver system_server_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
# Audited locally.
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
service_manager_type
-drmserver_service
-mediaserver_service
-system_server_service
-surfaceflinger_service
}:service_manager find;
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights

12
nfc.te
View file

@ -18,13 +18,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(nfc)
auditallow nfc {
service_manager_type
-mediaserver_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
allow nfc system_server_service:service_manager find;

View file

@ -28,12 +28,7 @@ allow platform_app media_rw_data_file:file create_file_perms;
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
# Audited locally.
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
service_manager_type
-mediaserver_service
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
allow platform_app mediaserver_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app system_server_service:service_manager find;

View file

@ -30,14 +30,7 @@ auditallow radio system_radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
allow radio radio_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(radio)
auditallow radio {
service_manager_type
-mediaserver_service
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
allow radio system_server_service:service_manager find;

View file

@ -57,15 +57,11 @@ r_dir_file(surfaceflinger, dumpstate)
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
allow surfaceflinger surfaceflinger_service:service_manager add;
# Audited locally.
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
service_manager_type
-surfaceflinger_service
-system_server_service
}:service_manager find;
# media.player service
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger system_server_service:service_manager find;
###
### Neverallow rules

View file

@ -48,7 +48,12 @@ allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
allow system_app keystore_service:service_manager find;
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app system_server_service:service_manager find;
allow system_app keystore:keystore_key {
test
@ -70,14 +75,3 @@ allow system_app keystore:keystore_key {
};
control_logd(system_app)
# Audited locally.
service_manager_local_audit_domain(system_app)
auditallow system_app {
service_manager_type
-keystore_service
-nfc_service
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;

View file

@ -368,10 +368,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
allow system_server system_server_service:service_manager add;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
# Audited locally.
service_manager_local_audit_domain(system_server)
# TODO: Remove. Make up for previously lacking auditing.
allow system_server service_manager_type:service_manager find;
auditallow system_server {
service_manager_type
-healthd_service
-keystore_service
-mediaserver_service
-radio_service
-system_server_service
-surfaceflinger_service
}:service_manager find;
allow system_server keystore:keystore_key {
test

View file

@ -71,18 +71,13 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
# Audited locally.
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
service_manager_type
-drmserver_service
-keystore_service
-mediaserver_service
-nfc_service
-radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app keystore_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app system_server_service:service_manager find;
###
### neverallow rules